Background
It is a policy of the Department of Health and Social Care that all bodies processing patient information in England provide assurances via the Data Security and Protection Toolkit (DSPT). This is undertaken on a yearly self-assessment basis, with the outputs published on the NHS England website NHS England - DSPT toolkit
It is also a policy position of the Department of Health and Social Care that all bodies processing confidential patient information in England under a CAG application have their DSPT self-assessment submission additionally reviewed by NHS England, to provide assurances that the organisation has achieved the appropriate ‘standards met’ status. This is required annually for the duration of the support. The NHS England assurance is provided on an organisation basis. Once the assurance is provided it is valid for all studies within the organisation to process confidential patient information without consent.
Please note that evidence is required that NHS England have reviewed the organisation’s DSPT and determined that standards have been met. Evidence of the organisation’s self-assessed grade is not sufficient.
How to provide security assurance for ‘section 251’ applications.
In order to provide evidence that DSPT standards have been met, you should undertake the following:
- Contact the DSPT Team at NHS England by emailing ssd.nationalservicedesk@nhs.net to request review of organisational DSPT submissions relevant to the CAG application. Do not contact any other function within NHS England as you may be given inaccurate advice
- Provide the following in the email:
- Inform them a review of the relevant DSPT submission is required to progress a ‘section 251 application’
- The CAG application reference number(s) (if known)
- The full name of all organisations physically processing information under support under the CAG reference number
- The relevant DSPT submission references / ODS Code (if known)
- Once complete, NHS England will email you directly to confirm ‘Standards Met’ in relation to the review.
- This email will be copied to the CAG and include the application reference..
What version of DSPT is accepted?
We are currently accepting NHS England confirmation of security assurances for the 2024/25 DSPT submission.
The submission deadline for the 2024/25 DSPT self-assessment was 30 June 2025. To support the transition to the new year, we continued to accept the 2023/24 DSPT assurances for any applications, amendments or annual reviews that were supported prior to Friday 15 August 2025. After this date, only assurances against the 2024/25 submission will be accepted.
If you will be submitting new applications, amendments or annual reviews during this transition period, we encourage you to seek security assurances, as above, for the 2024/25 DSPT.
Security assurances for organisations processing confidential patient information generated within Wales.
Security assurances for confidential patient information generated within Wales are provided by either a Caldicott Principles in Practice (CPiP) Report or a completed Welsh Information Governance Toolkit. The relevant CPIP out-turn report, or IG Toolkit, is provided directly by Digital Health and Care Wales (DHCW) to CAG.
Alternatively, where a Welsh organisation has a DSPT assured by NHS England this will also be accepted.
Security assurances for organisations processing confidential patient information generated within Scotland.
An approval letter from the Public Benefit and Privacy Panel (PBPP), where processing is taking place in Scotland, is accepted as evidence of adequate security assurance for organisations in Scotland.
Alternatively, where a Scottish organisation has a DSPT assured by NHS England this will also be accepted.
If you have questions about security assurances please email cag@hra.nhs.uk